The views of one man on security, privacy and anything else that catches his attention. The views expressed on this blog do not reflect the views of my employer or anyone other than myself.

Archive for April, 2005

There have a rash of malicious sites that have URL’s that are one mistype away from other high traffic sites. This is nothing new, as there’ve been this type of site around since the creation of the modern Internet. Anyone remember whitehouse.com? The new sites are taking it a little farther than simply offering you porn; their apparently downloading software to your system automatically, with or without your permission. One report mentioned over 20 different spyware products that we’re being downloaded by a single site.

Earlier this week marked one year’s worth of tracking traffic to my site. Around the same time, I received the 10,000th visit to my site. Lies, damn lies, and statistics. A cool milestone to hit, but the numbers don’t mean anything in the real wold.

I won’t be posting much for the next week or two. Heavy duty project coming up, need the time for preparations. Should be a fun IDS project. I’ll see what I can write about here without disclosing too much.

Performed some site maintenance over the weekend, retiring my Coyote Linux firewall, installing a new router, reconfiguring the web page due to some determined comment spammers. I need two aspirin and a nap. I even forgot my laptop at home this morning. I’m gonna take the rest of the day off.

First of all, this post has nothing to do with security, I just felt like ranting for a couple of minutes.

Over the last few days I’ve had two brushes with customer service, one of which left me feeling good, the other, well, the other just didn’t. Years ago I worked in the service industry, which left me with a critical eye for how others perform their customer service. As with many things in my life, I like to compliment the good behaviors and call out the bad ones. This is a rather long rant, so I’ve placed most of it in the extended entry.

I received the following email from Michael Surkan at Microsoft. After asking him to verify his identity, a little looking around let me know I’m not the first to receive the same request. I’m posting the link because I think it’s more important to give feedback and have some small influence on the direction MS is going. The survey takes about 10 minutes to take, and is relatively innocuous. Make up your own mind about whether you want to take it or not.

And here’s a link to someone who did a lot more checking into Mr. Surkan, though this was about a different survey he was looking for input on. The author of this page declined Mr. Surkan’s request because he feels Microsoft is just trying to get something for nothing. I feel this is kind of like voting for President; if you didn’t vote, you have no right to complain.

Martin,

I am trying to collect customer input on some networking features Microsoft is considering in Longhorn that I thought you might want to pass on to some of your blog readers. If you think the current project I am working on would be of interest to your blog readers, I would love it if you could post my survey link. If you don?t think this would be of interest to your readers that?s ok.

The Microsoft network product team is investigating ways of resolving peer-to-peer connectivity problems in Longhorn, and we would like to get customer feedback to help validate some of the design proposals.

Today, there are many situations where users are unable to run such functions as remote assistance, voice/video conversations, and many other peer-to-peer functions because of firewalls, NATs and other network configuration problems. Our goal is to build networking technology into the operating system that will overcome many of these problems, allowing these peer-to-peer scenarios to ?just work?.

This survey outlines some of the proposals for resolving these connectivity problems, and asks for feedback on them. We would love to get the opinions from a wide range of users, and markets (e.g. consumers, large IT departments, etc) since this would have implications for everyone.

I wasn’t even aware that the Federal Election Committee was trying to regulate the Internet, but I’m glad someone is trying to step up and stop them. I’ll be one of the first to admit that the ‘wild west’ environment of the Internet has to end some time, but the limitations the FEC would like to put in place are not the way to go. I’m also a big supporter of campaign finance reform, but I don’t think the Internet should fall under the FEC pervue.

The admissions – under oath, finally – that these companies gladly covered up their blunders and misdeeds, until required by California law to notify victims, proves that regulation is essential to keeping them honest.

I’m normally of the mindset that government should stay out of business as much as possible. But when I hear about what businesses are willing to do, and more importantly, what they’re willing to do to us, I feel myself wanting more government involvement. One thing that worries me about this is that SB1386 (the California law referred to in the article) specifically exempts state and federal governments. If businesses are willing to cover up comprimises, what’s to stop the government from doing the same?

I recieved this in my email yesterday, courtesy of the NT BugTraq mailing list. Given the difficulty in contacting Microsoft some people have reported in the past, I’m glad they’re being proactive in getting this information out there. Now to wait and see if they actually respond in a meaningful way to issues reported through the email and web site.

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Hello!

The Microsoft Security Response Center investigates all reports of
security vulnerabilities sent to us that affect Microsoft products.
If you believe you have found a security vulnerability affecting a
Microsoft product, we would like to work with you to investigate it.

We are concerned that people might not know the best way to report
security vulnerabilities to Microsoft. You can contact the Microsoft
Security Response Center to report a vulnerability by emailing
secure@microsoft.com directly, or you can submit your report via our
web-based vulnerability reporting form located at:
https://www.microsoft.com/technet/security/bulletin/alertus.aspx.

They list this as an intermediate skill level. I’ve tried a couple of these before, and their not easy. If I can find the time to run through this, I’ll post my results here. If you have the time to run through it, drop me a line so I can see what you found.